Paper 2016/520

Universally Composable Two-Server PAKE

Franziskus Kiefer and Mark Manulis


Two-Server Password Authenticated Key Exchange (2PAKE) protocols apply secret sharing techniques to achieve protection against server-compromise attacks. 2PAKE protocols eliminate the need for password hashing and remain secure as long as one of the servers remains honest. This concept has also been explored in connection with two-server password authenticated secret sharing (2PASS) protocols for which game-based and universally composable versions have been proposed. In contrast, universally composable PAKE protocols exist currently only in the single-server scenario and all proposed 2PAKE protocols use game-based security definitions. In this paper we propose the first construction of an universally composable 2PAKE protocol, alongside with its ideal functionality. The protocol is proven UC-secure in the standard model, assuming a common reference string which is a common assumption to many UC-secure PAKE and PASS protocols. The proposed protocol remains secure for arbitrary password distributions. As one of the building blocks we define and construct a new cryptographic primitive, called Trapdoor Distributed Smooth Projective Hash Function (TD-SPHF), which could be of independent interest.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Major revision. 19th Information Security Conference (ISC) 2016
PAKEUniversal ComposabilitySmooth Projective Hashing
Contact author(s)
mark @ manulis eu
2016-05-29: received
Short URL
Creative Commons Attribution


      author = {Franziskus Kiefer and Mark Manulis},
      title = {Universally Composable Two-Server PAKE},
      howpublished = {Cryptology ePrint Archive, Paper 2016/520},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.